There is a domain example.com

There is a subdomain subdomain.example.com

When I install cookies from JS, with explicit indication of domain=example.com , they automatically appear on subdomain.example.com .

Only MS Edge has this behavior. Does anyone know what's the matter?

  • Can I find out the domain parameter cook? - Qertu Uerty
  • Cookies are installed on JS. Domain is automatically entered according to the page on which the user is located. Therefore, for cookies from the domain www.domain.com parameter domain = domain.com. For www.subdomain.domain.com, domain = subdomain.domain.com. - Antoshka004
  • I will correct the question - now it gives the impression that the cookie is placed on www.example.com, and is also visible on www.subdomain.example.com. - PashaPash ♦

2 answers 2

This is just a feature of the domain matching mechanism in different browsers.

The edge seems to follow the current Proposed Standard, RFC6265, from 2011. It includes the following domain verification rules:

5.1.3. Domain matching

The following conditions hold:

o The domain string and the string are identical. (This can be canonicalized for both countries.)

o All of the following conditions hold:

  * The domain string is a suffix of the string. * The last character of the string that is not included in the domain string is a %x2E (".") character. * The string is a host name (ie, not an IP address).

Those. Cook, delivered with the explicit indication of the domain, is always available in the subdomain. And that's fine.

Cookies for which the domain was not specified are set with host-only-flag, which limits their availability only to the current domain (without subdomains).

Not so modern browsers , trying to follow the outdated RFC2965 from 2000, in which the check looked a bit trickier:

Host A's host

  * their host name strings string-compare equal; or * A is a HDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a HDN string. (So, xycom domain-matches .Y.com but not Y.com.)

Those. subdomains have seen cookies from the main domain only if the value of the domain from the cookie began with a dot.

The trick was that the browser was obliged to add a period to the domain value.

If it is not explicitly defined, it is not clear.

but only if the domain was set via the Set-Cookie header.

If the domain was not explicitly specified, then the cookie was placed on the domain without. at the beginning, and was not available for subdomains. What brought the funniest bugs in Chrome, when the cookie on the client was delivered at the same time as a period and without a period, and it was impossible to remove it from the server.

The case of the installation of cookies through the document.cookie standard is not covered. Some browsers (IE / Edge) add a point automatically. Some - expect that you add it before the domain manually.

In any case, RFC2965 is outdated, so sooner or later, all cookies will become visible to subdomains. In the next answer there is a link to developer.mozilla.org , and even there already said

Contrary to earlier specifications, leading dots in domain names are ignored. If a domain is specified, subdomains are always included.

    If you set a cookie with the domain:

     document.cookie = "test=1; path=/; domain=example.com";

    That, by default, on subdomains including subdomain.example.com this cookie will also be visible .

    If you need the cookie to be visible only on the current domain, then, according to the documentation, you do not need to specify any domain at all. For example:

     document.cookie = "test=1; path=/";
    • This is how I specify: document.cookie = "test=1; path=/"; But in Edge, cookies are still visible on the subdomain. - Antoshka004